salt: add x509 extensions 'subjectKeyIdentifier' and 'authorityKeyIdentifier' to certs#4836
salt: add x509 extensions 'subjectKeyIdentifier' and 'authorityKeyIdentifier' to certs#4836ezekiel-alexrod wants to merge 2 commits intodevelopment/133.0from
Conversation
Hello ezekiel-alexrod,My role is to assist you with the merge of this Available options
Available commands
Status report is not available. |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list: |
|
LGTM |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list: |
Add `subjectKeyIdentifier` (SKI) to all 6 CA certificates and `authorityKeyIdentifier` (AKI) to all leaf certificates via the 8 x509 signing policies, per RFC 5280: - SKI on CA certs: MUST (Section 4.2.1.2) - AKI on leaf certs: MUST (Section 4.2.1.1) - AKI on self-signed CAs: MAY be omitted (Section 4.2.1.1) The AKI keyid in leaf certs references the SKI of the issuing CA, establishing the chain of trust identifier required by the RFC. On upgrade, Salt detects the missing extensions and re-issues the certificates while preserving the existing private keys. Closes: MK8S-201
ezekiel-alexrod
force-pushed
the
improvement/add-x509-extensions-CA-certs
branch
from
081d828 to
5d0dbef
Compare
|
LGTM |
Add `authorityKeyIdentifier: keyid` to all 13 leaf certificate `x509.certificate_managed` states so that Salt detects the missing extension on existing certs and re-issues them during upgrade. The signing policies alone (in pillar) control what extensions are stamped on new certs, but Salt does not compare signing policy extensions against existing certs. Adding the extension in the state itself triggers the diff detection needed for upgrade. Closes: MK8S-201
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
Peer approvals must include at least 1 approval from the following list: |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
| - signing_policy: {{ dex.cert.server_signing_policy }} | ||
| - CN: dex-server | ||
| - subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}" | ||
| - authorityKeyIdentifier: keyid |
There was a problem hiding this comment.
authorityKeyIdentifier: keyid is now specified in both the signing policy (pillar) and in each individual leaf cert state file. The signing policy already enforces this extension on all certificates it signs, so the per-cert declarations are redundant.
This duplication means if the extension needs to change in the future, it must be updated in 8 signing policies + 13 individual state files instead of just the 8 policies. Consider removing the authorityKeyIdentifier lines from the individual leaf cert state files and relying solely on the signing policies in pillar/metalk8s/roles/ca.sls.
— Claude Code
There was a problem hiding this comment.
The duplication is intentional and required for upgrade correctness.
We tested with authorityKeyIdentifier: keyid only in the signing policies (without it in the individual leaf cert states). The result: on upgrade from 132.0.2, Salt did not re-issue any leaf cert -- all leaf certs remained without AKI post-upgrade.
The reason is that the signing policy controls what extensions are stamped when a cert is issued, but x509.certificate_managed only compares properties declared in the state itself to decide whether to re-issue an existing cert. Since the signing policy lives on the CA side (pillar), the minion-side state has no visibility into it for diff detection.
So both are needed:
- The signing policy ensures new certs (fresh install) get the AKI
- The state declaration ensures Salt detects the missing AKI on existing certs and triggers re-issuance during upgrade
This was verified on 3-node EC2 clusters: without the per-cert declarations, AKI was present on fresh install but absent after upgrade. With both, it works in all scenarios.
|
ConflictThere is a conflict between your branch Please resolve the conflict on the feature branch ( git fetch && \
git checkout origin/improvement/add-x509-extensions-CA-certs && \
git merge origin/development/133.0Resolve merge conflicts and commit git push origin HEAD:improvement/add-x509-extensions-CA-certs |
3 participants
Add x509 extensions to CA and leaf certificates (RFC 5280)
Summary
Add
subjectKeyIdentifier(SKI) to all 6 CA certificates andauthorityKeyIdentifier(AKI) to all leaf certificates, per RFC 5280.Context
The certificates generated by MetalK8s were missing standard x509 extensions required by RFC 5280:
subjectKeyIdentifier: hashauthorityKeyIdentifier: keyidPer Section 4.2.1.2, the SKI value on the CA is the value that gets copied into the AKI
keyidfield of certificates issued by that CA, establishing the identifier chain: "the value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension of certificates issued by the subject of this certificate".Changes
CA certificates (6 files) -- added
subjectKeyIdentifier: hashtox509.certificate_managed:salt/metalk8s/kubernetes/ca/kubernetes/installed.slssalt/metalk8s/kubernetes/ca/etcd/installed.slssalt/metalk8s/kubernetes/ca/front-proxy/installed.slssalt/metalk8s/addons/dex/ca/installed.slssalt/metalk8s/addons/nginx-ingress/ca/installed.slssalt/metalk8s/backup/certs/ca.slsSigning policies (1 file) -- added
authorityKeyIdentifier: keyidto all 8 policies in:pillar/metalk8s/roles/ca.slsLeaf certificate states (13 files) -- added
authorityKeyIdentifier: keyidto eachx509.certificate_managedstate. This is needed because the signing policies alone control what extensions are stamped on new certs, but Salt does not compare signing policy extensions against existing certs to trigger re-issuance. Adding the extension in the state enables Salt to detect the diff during upgrade.salt/metalk8s/kubernetes/apiserver/certs/{server,kubelet-client,front-proxy-client,etcd-client}.slssalt/metalk8s/kubernetes/etcd/certs/{server,peer,healthcheck-client}.slssalt/metalk8s/salt/master/certs/{salt-api,etcd-client}.slssalt/metalk8s/addons/dex/certs/server.slssalt/metalk8s/addons/nginx-ingress/certs/server.slssalt/metalk8s/addons/nginx-ingress-control-plane/certs/server.slssalt/metalk8s/backup/certs/server.slsTest data -- updated
salt/tests/unit/formulas/data/base_pillar.yamlwith matching signing policy changes.Upgrade behavior
On upgrade from 132.0.2, Salt detects
Certificate properties are different: X509v3 Extensionsand re-issues each certificate while preserving the existing private keys. The upgrade orchestration handles this throughbootstrap/pre-upgrade.sls(CA certs) and the per-node highstate (leaf certs).Test results
Tested manually on fresh EC2 instances (Rocky 8.9, 3 nodes):
Fresh install 133.0.0-dev (3 nodes):
Upgrade 132.0.2 -> 133.0.0-dev (3 nodes):
Single-node upgrade 132.0.2 -> 133.0.0-dev:
Idempotent re-deploy (highstate on existing 133.0.0-dev):
Test plan
development/133.0)Closes: MK8S-201